CURL-CVE-2022-32207

See a problem?
Source
https://curl.se/docs/CVE-2022-32207.html
Import Source
https://curl.se/docs/CURL-CVE-2022-32207.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2022-32207
Aliases
Published
2022-06-27T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
Non-preserved file permissions
Details

When curl saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target filename.

In that rename operation, it might accidentally widen the permissions for the target file, leaving the updated file accessible to more users than intended.

References
Credits
    • Harry Sintonen - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.69.0
Fixed
7.84.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events
Introduced
b834890a3fa3f525cd8ef4e99554cdb4558d7e1b
Fixed
20f9dd6bae50b7223171b17ba7798946e74f877f

Affected versions

7.*

7.69.0
7.69.1
7.70.0
7.71.0
7.71.1
7.72.0
7.73.0
7.74.0
7.75.0
7.76.0
7.76.1
7.77.0
7.78.0
7.79.0
7.79.1
7.80.0
7.81.0
7.82.0
7.83.0
7.83.1